Assess
SLSA (Supply-chain Levels for Software Artifacts) is an OpenSSF security standard that defines progressive levels of build integrity and provenance. It is not a tool itself but a framework that tools implement, ranging from L1 (build provenance generated) to L3 (tamper-proof even against compromised credentials).
Why It Matters for AI-Assisted Development
When AI agents are part of the build pipeline — generating code, running tests, creating artifacts — build integrity becomes more critical:
- Progressive Levels: L1 (provenance generated), L2 (hosted build with signed provenance), L3 (tamper-proof against insider threats).
- Spec v1.1: Backwards-compatible clarifications to the threat model, the attestation model, and the verification procedures.
- Tooling: GitHub provenance generation, SLSA GitHub Generator, Google Cloud Build, and the AMPEL policy engine (Oct 2025).
Strengths
- Industry-standard progressive approach to build integrity
- Clear security levels useful for procurement and compliance conversations
- Growing tooling ecosystem
- Backed by Google and OpenSSF
Limitations
- Primarily addresses build integrity — not runtime, vulnerability management, or incident response
- Achieving L3 requires significant infrastructure investment
- No AI-specific tracks or guidance yet (concepts are transferable but tooling gaps remain)
- Adoption data is scarce outside Google and major open-source projects
Pricing
Open standard. Free.